Contact +49 661 9642-0




What requirements must a GDPR-compliant CRM system meet?

Data protection is a sensitive issue today. The EU General Data Protection Regulation (GDPR) strictly regulates the use of personal data (hereinafter: personal data), the non-compliance of which can sometimes lead to very large fines.
GDPR in CRM title image for wiki page from GEDYS IntraWare

A representative survey by the digital association Bitkom in 2020 showed that by September of the year, only 20% of the 500 companies surveyed had fully implemented the GDPR. 56% even said that innovative business projects had failed due to the GDPR. But more than half also thought that the GDPR would set standards for the handling of personal data worldwide and bring competitive advantages for EU companies.

For the management of successful customer relationships, the collection and processing of personal data in a CRM system is indispensable. And not only in the interests of the companies, but also in the interests of customers and interested parties.
For this reason, we have collected important information about GDPR in CRM in a compact way.

1. The EU GDPR compact

Since 25 May 2018, the EU GDPR has been in force throughout Europe and regulates the handling of personal data by companies and public authorities.

The main aim is to strengthen personal rights to informational self-determination. The EU GDPR applies to all companies in the EU that store and process personal data. But beware: Companies outside the EU must also comply with the GDPR if they offer their services or products to EU citizens and collect and use their data!

2. What are personal data?

Personal data refers to any information relating to an identified or identifiable natural person , such as:

GDPR in CRM: Capture image of personal data, GEDYS-IntraWare
  • First name and last name
  • Address
  • Sex
  • Telephone number
  • Email address
  • IP address

Information in the business environment can also be personal data, such as:

  • Contact details of contact persons at
    Customers or suppliers
  • IP addresses of website visitors
  • List of newsletter recipients

3. What does the “processing of personal data” mean?

The “processing” of personal data basically means any handling of the data described in point 2.

  • Collecting (e.g. by questionnaire)
  • Capture (e.g. by form, software or camera)
  • Save (e.g. in a database, Excel file or file)
  • Change (e.g. Update)
  • Submit (e.g. to an authority or affiliated entity)
  • Matching and linking
  • Locking or deleting

Examples from everyday practice include storing contact data of your customers’ contact persons (B2B) in your CRM system or collecting addresses for sending newsletters or simply placing an order.

By the way, this also includes the recording of personalinformation of applicants for a vacant position in your company.

4. Personal data in the company

What do companies need personal data for?

When selling products and services, you need to convince potential customers of your quality. To do this, you need to know a lot about your future customers in order to choose the right approach and communication channels. For each channel you need address data of your recipients, for email marketing and newsletter e.g. you need entire recipient lists. But you also need personal data for commercial processes.

Which departments work with the personal data?

The first thing to think about is the checkout and the accounting. But in fact, some other departments are working with your customers’ personal data before or after the purchase. For example, there’s yourmarketing chasing new leads, your sales recruiting new customers, or even your service taking care of your customers.

Is the handling of employee data also regulated in the GDPR?

The GDPR not only protects customer data, but also data from employees – from the application to the end of employment.

The GDPR stipulates that personal data, including employee data, may only be processed if this is permitted by a specific legal basis or consent of the employee. This legal basis can be found in the Federal Data Protection Act. This means that employers may process such personal data as is required for the commencement, performance or termination of an employment relationship even without consent.

Today, the most important employee data is usually collected in a digital personnel file. This file must be protected by the employer from outside access.

In addition, employee data is required for user administrations to securely control access rights to digital applications and customer data.

What software do you need to manage personal data?

For GDPR-compliant management of personal data, you need a CRM software that guarantees the rights and security of your customers while protecting you from risking heavy fines in the event of process errors. Transparency, optimal coordinated processes and a central data storage for a complete overview supports the GDPR regulations in CRM better than a collection of Excel sheets distributed via various servers.

5. When is the processing of personal data
in CRM allowed?

5.1 Legality
for the processing of personal data is given if the GDPR allows it. To do so, there must be a “legal basis” for the processing as follows:

  • Execution of the contract: the processing is necessary for the execution of a contract with the person, such as using the address of the customer to ship the ordered product.
  • Fulfillment of laws: In order to fulfil legal obligations, data processing is required, such as to demand and store the identification data of contractual partners in accordance with the Money Laundering Act.
  • Eligible interests: The company has a legitimate interest in processing. There are no less intrusive alternatives. The conflicting interests of the persons concerned do not prevail. For example to view the business letters of a sick employee to handle urgent customer requests.
  • Consent: The data subject has informed himself and clearly consented to the use of the data, such as a customer who subscribes to the newsletter.

5.2 Purpose limitation:
Use data only for the purposes for which it was originally collected or that are compatible with those original purposes.

5.3 Data minimization:
Do not collect and use more data than is necessary for the specific purpose (no storage on stock). For example, it is not necessary to query names and employers to send newsletters.

5.4 Memory limit: Delete personal data when it is no longer needed. For example, after the expiry of the statutory
retention period after 10 years.

5.5 Accuracy:
Correct incorrect or incomplete data.

5.6 Data security:
Protect data sufficiently against access by unauthorized persons, against loss and falsification.Compliance with data security according to GDPR in CRM is ensured, for example, by role concepts, passwords, encryption and a firewall.

Attention: Prohibition of processing of sensitive data

In some cases, the GDPR makes additional requirements for data handling. These also apply to the GDPR in CRM:
A generalban on processing applies to sensitive data. This is the case, for example, with data on health, religion, political opinions, trade union membership or sex life. Only in the case of justified exceptions and under particularly strict requirements is processing permitted, such as consent, labour law and social security obligations, etc.

6. GDPR in CRM

This must provide your CRM functionally for GDPR compliant data processing

Of course, a whole host of functions and coordinated processes can make your daily work easier to comply with the DGSVO requirements. We have collected the core functionalities that your CRM system must offer in order to be able to work in compliance with DGSVO.

Right to information

A person wants to know what personal data is stored about them. Perhaps it also asks what purpose the data is processed or for which processing the personal data is used. You are obliged to answer these questions.

This applies, for example, to mailings & evaluations with mailing programs, use in campaigns, in the service desk or in third-party systems.

Right to beforgotten

A person wants their personal data to be deleted.
This is only possible if other laws do not require that the personal data be kept or if there is another interest in preserving this data.

Other laws are, for example,
– Commercial Law
– Tax law
– Criminal law


Whenever personal data is collected, changed, deleted, combined or processed, it must be logged.

In CRM, this is possible via the document history. Here it is noted:
Who has what,
and why done.
All histories are available at any time.

Obligation to provide proof

The storage of personal data requires the consent of the person concerned. Consent must be documented in writing.

In CRM, for example, via a scanned business card, by e-mail or via a form with double opt-in.

Data economy

Personal data collected must be proportionate to the purpose and also limited to a necessary extent. In addition, they are only to be kept for as long as they are actually needed.

The implementation of a deletion concept in CRM is necessary.

Right to data portability

Persons have the right to have their personal data handed over in a common format.

From the CRM, this is possible, for example, via “Contact at a glance” as an Excel export.

Right to Restrict processing

Personal data may be retained but NOT processed automatically.

Personal data may therefore only be stored in the CRM, the use is only permitted if there is a consent.

Right to object

A person may object to the processing of his personal data. You must be informed of your right to object at the time of the first communication.

After an objection of a person, his data must be inactive in the CRM & may not be processed automatically.


Users of a system processing personal data may only have access to the data that corresponds to their access authorization. All functions to view or export data must be protected accordingly.

This is ensured in CRM via role-based access rights.

7. Where is the personal data stored securely under the GDPR?

In some cases, the GDPR makes additional requirements for data handling. The export of data must ensure an adequate level of data protection even when data is transferred to bodies outside the European Union and the European Economic Area.

For certain countries, the EU Commission has decided that their data protection laws are sufficient (e.g.B for Japan, Israel, Switzerland). For all other countries, special contracts with data recipients usually have to be concluded. Until recently, companies in the U.S. were able to certify themselves after the Privacy Shield to ensure the level of privacy. Attention! The Privacy Shield agreement has been annulled by the European Court of Justice. There is currently no new agreement or anything like that.

Read also the blog article: CRM-Hosting in Germany

8. Who is liable for violations?

In the event of a breach, the Company shall be liable. Some companies have now received extremely high fines. In order to avoid this, you have to checkthe GDPR in your company for function, data storage and interfaces.

When you protect the data in your own data center, you have sovereignty and always know what happens to them. Hosting providers in Germany and Europe are also obliged to work according to the GDPR. On the other hand, you are liable for violations of platforms outside Europe.

The special feature of data storage for the respective CRM offers (On-Prem, Cloud, SaaS, Interfaces) is also discussed in the following blog articles:

9. Conclusion: The right CRM helps your company enormously in the implementation of the EU GDPR

By using a GDPR-compliant CRM system, you can simplify the adaptation to the EU regulation by a great deal. This way, your employees are data-protection-fit in no time! This is because you save the effort of adapting your workflows individually just to ensure that your employees work according to the new guidelines. In addition, you strengthen the trust of your customers and prospects in your company and you do not lose important customer information that serves as a basis for growth and innovation for your company.

Observe the developments of the EU Commission. Other legislative proposals are already under discussion: the Data Governance Act, which will be presented at the end of 2020, is a further step by the Commission to position the EU as a pioneer of data protection and to develop the issue of data protection into a competitive advantage.